This work addresses the high cost of manual security auditing in Rust projects, which heavily rely on third-party crates. The authors propose Cargo Scan, a novel approach that integrates interactive side-effect analysis with call-graph construction, leveraging Rust’s type and module systems to precisely identify potentially dangerous code and trace contextual dependencies. The method enables composable, automated security assessments and enhances practicality through module-boundary tracking and persistent audit reports. Experimental evaluation demonstrates that when auditing the hyper crate and its dependencies, the median amount of code requiring manual review is reduced to 0.2% of the original total. Among the top 10,000 crates on crates.io, approximately 3,500 are automatically classified as safe, while the remaining crates exhibiting hazardous side effects are concentrated in only about 3%, necessitating targeted human inspection.

We introduce Cargo Scan, the first interactive program analysis tool designed to help developers audit third-party Rust code. Real systems written in Rust rely on thousands of transitive dependencies. These dependencies are as dangerous in Rust as they are in other languages (e.g., C or JavaScript) -- and auditing these dependencies today means manually inspecting every line of code. Unlike for most industrial languages, though, we can take advantage of Rust's type and module system to minimize the amount of code that developers need to inspect to the code that is potentially dangerous. Cargo Scan models such potentially dangerous code as effects and performs a side-effects analysis, tailored to Rust, to identify effects and track them across crate and module boundaries. In most cases (69.2%) developers can inspect flagged effects and decide whether the code is potentially dangerous locally. In some cases, however, the safety of an effect depends on the calling context -- how a function is called, potentially by a crate the developer imports later. Hence, Cargo Scan tracks context-dependent information using a call-graph, and collects audit results into composable and reusable audit files. In this paper, we describe our experience auditing Rust crates with Cargo Scan. In particular, we audit the popular client and server HTTP crate, hyper, and all of its dependencies; our experience shows that Cargo Scan can reduce the auditing burden of potentially dangerous code to a median of 0.2% of lines of code when compared to auditing whole crates. Looking at the Rust ecosystem more broadly, we find that Cargo Scan can automatically classify ~3.5K of the top 10K crates on crates.io as safe; of the crates that do require manual inspection, we find that most of the potentially dangerous side-effects are concentrated in roughly 3% of these crates.